Narrowly scope privileges for API service objects

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=129099520
2025-07-23 19:20:44 +02:00 · 2016-08-02 08:16:03 -07:00 · 2016-08-02 08:16:03 -07:00 · 37d30591ed
commit 37d30591ed
parent 9de287378b
9 changed files with 65 additions and 158 deletions
--- a/java/google/registry/request/BUILD
+++ b/java/google/registry/request/BUILD
@ -35,13 +35,13 @@ java_library(
    srcs = ["Modules.java"],
    visibility = ["//visibility:public"],
    deps = [
-        ":request",
        "//java/com/google/api/client/extensions/appengine/http",
        "//java/com/google/api/client/googleapis/auth/oauth2",
        "//java/com/google/api/client/googleapis/extensions/appengine/auth/oauth2",
        "//java/com/google/api/client/http",
        "//java/com/google/api/client/json",
        "//java/com/google/api/client/json/jackson2",
+        "//java/com/google/common/base",
        "//third_party/java/appengine:appengine-api",
        "//third_party/java/dagger",
        "//java/google/registry/config",
--- a/java/google/registry/request/DelegatedOAuthScopes.java
+++ b/java/google/registry/request/DelegatedOAuthScopes.java
@ -1,27 +0,0 @@
-// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request;
-
-import java.lang.annotation.Documented;
-import java.util.Set;
-import javax.inject.Qualifier;
-
-/**
- * Dagger qualifier for the {@link Set} of OAuth2 scope strings used for authorization on APIs that
- * are connected to using a delegated user account (the serviceAccountUser in GoogleCredential).
- */
-@Qualifier
-@Documented
-public @interface DelegatedOAuthScopes {}
--- a/java/google/registry/request/Modules.java
+++ b/java/google/registry/request/Modules.java
@ -31,6 +31,7 @@ import com.google.appengine.api.urlfetch.URLFetchService;
 import com.google.appengine.api.urlfetch.URLFetchServiceFactory;
 import com.google.appengine.api.users.UserService;
 import com.google.appengine.api.users.UserServiceFactory;
+import com.google.common.base.Function;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
@ -40,6 +41,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Set;
 import javax.inject.Named;
+import javax.inject.Provider;
 import javax.inject.Singleton;

 /** Dagger modules for App Engine services and other vendor classes. */
@ -124,20 +126,41 @@ public final class Modules {
  @Module
  public static final class AppIdentityCredentialModule {
    @Provides
-    static AppIdentityCredential provideAppIdentityCredential(@OAuthScopes Set<String> scopes) {
-      return new AppIdentityCredential(scopes);
+    static Function<Set<String>, AppIdentityCredential> provideAppIdentityCredential() {
+      return new Function<Set<String>, AppIdentityCredential>() {
+        @Override
+        public AppIdentityCredential apply(Set<String> scopes) {
+          return new AppIdentityCredential(scopes);
+        }
+      };
    }
  }

  /**
   * Dagger module causing Google APIs requests to be authorized with your GAE app identity.
   *
-   * <p>You must also use the {@link AppIdentityCredential} module.
+   * <p>You must also use the {@link AppIdentityCredentialModule}.
   */
  @Module
  public abstract static class UseAppIdentityCredentialForGoogleApisModule {
    @Binds
-    abstract HttpRequestInitializer provideHttpRequestInitializer(AppIdentityCredential credential);
+    abstract Function<Set<String>, ? extends HttpRequestInitializer>
+        provideHttpRequestInitializer(Function<Set<String>, AppIdentityCredential> credential);
+  }
+
+  /**
+   * Module indicating Google API requests should be authorized with JSON {@link GoogleCredential}.
+   *
+   * <p>This is useful when configuring a component that runs the registry outside of the App Engine
+   * environment, for example, in a command line environment.
+   *
+   * <p>You must also use the {@link GoogleCredentialModule}.
+   */
+  @Module
+  public abstract static class UseGoogleCredentialForGoogleApisModule {
+    @Binds
+    abstract Function<Set<String>, ? extends HttpRequestInitializer>
+        provideHttpRequestInitializer(Function<Set<String>, GoogleCredential> credential);
  }

  /**
@ -160,6 +183,7 @@ public final class Modules {
  public static final class GoogleCredentialModule {

    @Provides
+    @Singleton
    static GoogleCredential provideGoogleCredential(
        HttpTransport httpTransport,
        JsonFactory jsonFactory,
@ -172,6 +196,17 @@ public final class Modules {
      }
    }

+    @Provides
+    static Function<Set<String>, GoogleCredential> provideScopedGoogleCredential(
+        final Provider<GoogleCredential> googleCredentialProvider) {
+      return new Function<Set<String>, GoogleCredential>() {
+        @Override
+        public GoogleCredential apply(Set<String> scopes) {
+          return googleCredentialProvider.get().createScoped(scopes);
+        }
+      };
+    }
+
    /**
     * Provides a GoogleCredential that will connect to GAE using delegated admin access.  This is
     * needed for API calls requiring domain admin access to the relevant GAFYD using delegated
@ -183,14 +218,12 @@ public final class Modules {
    static GoogleCredential provideDelegatedAdminGoogleCredential(
        GoogleCredential googleCredential,
        HttpTransport httpTransport,
-        @DelegatedOAuthScopes Set<String> scopes,
        @Config("googleAppsAdminEmailAddress") String googleAppsAdminEmailAddress) {
      return new GoogleCredential.Builder()
          .setTransport(httpTransport)
          .setJsonFactory(googleCredential.getJsonFactory())
          .setServiceAccountId(googleCredential.getServiceAccountId())
          .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
-          .setServiceAccountScopes(scopes)
          .setServiceAccountUser(googleAppsAdminEmailAddress)
          .build();
    }
--- a/java/google/registry/request/OAuthScopes.java
+++ b/java/google/registry/request/OAuthScopes.java
@ -1,24 +0,0 @@
-// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request;
-
-import java.lang.annotation.Documented;
-import java.util.Set;
-import javax.inject.Qualifier;
-
-/** Dagger qualifier for the {@link Set} of OAuth2 scope strings, used for API authorization. */
-@Qualifier
-@Documented
-public @interface OAuthScopes {}